Week 4 - Forensic Disk Imaging Flashcards
How do you list the hard drives connected to a linux machine?
ls /dev/sd*
ls lists directory contents. Linux exposes block devices as files under /dev, and SCSI, SATA and USB disks are named sda, sdb, ... with their partitions as sda1, sda2, ..., so the glob /dev/sd* returns exactly those disks and partitions. It will not show NVMe drives (/dev/nvme0n1 and so on); lsblk lists every block device with its size and partitions, which is the safer check before imaging.
What command would you use to make an image of a disk in linux?
dd if=/dev/sdX of=image.dd (sdX is the seized drive, image.dd the file to write)
if means input file
of means output file. The path is relative to the current working directory, which is /root when you are working as root on Kali, so of=image.dd lands in /root. Give an absolute path on a separate evidence drive instead, and never write the image onto the disk being imaged.
What program do you use on Kali linux to access a drive? How?
The Autopsy program (the Autopsy Forensic Browser, a web front end to The Sleuth Kit).
Start Autopsy from a terminal and open the link it prints in a browser; this is the Autopsy Forensic Browser. Click 'New Case', enter the relevant case details and hosts, then add an image file: browse to where the image is stored (the root folder if it was written there) and select it. Accept the option to calculate a hash value as part of the add; this records an MD5 of the image so that you can later prove it has not changed. From here you can browse the image.
In the kali linux autopsy program, how can you tell if a file on the disk had been deleted?
In the file analysis view it has a tick in the 'Del' (deleted) column and is shown in red; on FAT volumes the first character of its name also shows as _.
The _ is how the tool renders the 0xE5 byte that FAT writes over the first character of a directory entry when a file is deleted. The entry and the file's data stay on disk until the space is reused, so Autopsy can still list the file and often recover its content. A file beginning with _ is therefore probably a deleted one rather than an oddly named live file.
What is an issue for creating uncorrupted images even when using a write-blocker?
A write-blocker only filters commands sent by the examiner's host; it cannot stop work the drive's own firmware does on its own once it is powered. The usual case is an SSD: if the operating system had already marked a deleted file's blocks as free (a TRIM) before the disk was seized, the drive's garbage collection can wipe those blocks after it is plugged in again, with no new command from the host. The drive is finishing an instruction it was given before seizure, so a blocker cannot prevent it. The practical consequence is that two images of the same drive taken at different times may not hash the same, so image as soon as possible, hash immediately, and record when each image was made.
What does the dd linux command do exactly?
It reads the input in blocks and writes every byte unchanged to the output, giving a raw, bit-for-bit copy of the disk: every sector, including unallocated space, file slack and the remains of deleted files, not just the files the filesystem lists. Two caveats: by default dd stops at the first read error (conv=noerror,sync makes it continue and zero-pad the unreadable block so later sectors keep their offsets), and it copies only what the drive exposes, so a hidden HPA or DCO area is not included unless removed first. dd does not verify anything; hash the source and the image separately and compare.
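The imaging card and the dd card above describe one procedure: copy the drive with dd, then prove the copy is faithful. The script below is an added example, not part of the flashcards, showing that procedure end to end: it hashes the source, runs dd with conv=noerror,sync, hashes the image and writes both hashes to a log. A regular file constructed from /dev/urandom stands in for the seized /dev/sdX so it runs without root or a real disk; the function names and the log layout are my own choices.

```shell
#!/bin/sh
# Added example (not from the flashcards): image a device with dd and
# verify the copy by hashing source and image. SRC is normally a block
# device such as /dev/sdb sitting behind a write-blocker; here a regular
# file stands in for it so the script runs without root.

# image_and_verify SRC IMAGE [LOG]
# Returns 0 when the SHA-256 of the image equals the SHA-256 of the source.
image_and_verify() {
    src="$1"; img="$2"; log="${3:-$img.log}"

    # Hash the source first: this is the reference value for the evidence.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)

    # bs=64k: read in large blocks for speed.
    # conv=noerror,sync: on an unreadable block keep going and pad that
    # block with zeros so every later sector keeps its original offset.
    # (This also pads a final partial block, so the image can be slightly
    # larger than the source when bs does not divide the source size.)
    dd if="$src" of="$img" bs=64k conv=noerror,sync 2>>"$log" || return 1

    img_hash=$(sha256sum "$img" | cut -d' ' -f1)

    # Record both hashes with the image so a later examiner can re-hash
    # the image and compare against what was captured at acquisition time.
    printf 'source  %s  %s\nimage   %s  %s\n' \
        "$src_hash" "$src" "$img_hash" "$img" >>"$log"

    [ "$src_hash" = "$img_hash" ]
}

# Constructed stand-in for a seized disk: 1 MiB of random data, a whole
# number of 64k blocks so conv=sync has no partial block to pad.
make_fake_disk() {
    dd if=/dev/urandom of="$1" bs=64k count=16 2>/dev/null
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_fake_disk "$tmp/fake_sdb"
    if image_and_verify "$tmp/fake_sdb" "$tmp/fake_sdb.dd"; then
        echo "image verified: hashes match"
    else
        echo "hash mismatch: do not rely on this image" >&2
    fi
    cat "$tmp/fake_sdb.dd.log"
    rm -rf "$tmp"
fi
```

Run it with --demo to see the log. On a real acquisition replace the fake file with the device path, point of= at a separate evidence drive, and keep the log with the image: the source hash is your proof that the image matches what the drive held at the moment it was read, which matters precisely because an SSD's firmware may change the drive's contents later on its own.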